Methods, systems, and computer readable media for obscuring diameter node information in a communication network

ABSTRACT

According to one aspect, the subject matter described herein includes a system for a system for obscuring DIAMETER node information in a communication network. The system includes a DIAMETER agent platform. The DIAMETER agent platform includes a network interface for receiving a message from a first DIAMETER node. The DIAMETER agent platform further includes a DIAMETER information hiding module for modifying, in the first message, DIAMETER information for the first DIAMETER node so as to obscure the identity of the first diameter node. The diameter agent includes a routing module for routing the modified message to a second DIAMETER node.

PRIORITY CLAIM

This application claims the benefit of U.S. Provisional PatentApplication Ser. No. 61/351,923 filed Jun. 6, 2010 and U.S. ProvisionalPatent Application Ser. No. 61/367,367 filed Jul. 23, 2010; thedisclosures of which are incorporated herein by reference in theirentireties.

TECHNICAL FIELD

The subject matter described herein relates to methods and systems forcommunications in a DIAMETER network. More particularly, the subjectmatter described herein relates to methods, systems, and computerreadable media for obscuring DIAMETER node information in acommunication network.

BACKGROUND

In DIAMETER networks, messages and communications between nodes in thenetwork include information identifying the name and location of eachnode in the network. For example, when a request message is sent to arealm or domain in the network and is routed to the appropriate server,the request message and server's response each include informationidentifying the client and server, respectively, to each other.

DIAMETER messages exist in the format of request-answer messages. Allanswer messages travel back to the request source via the same paththrough which the request message was routed using hop-by-hop transport.When one DIAMETER node needs information from another DIAMETER node, thefirst DIAMETER node sends a request identifying itself and its realm ordomain, as well as identifying the realm or domain of the DIAMETER nodefrom which the first DIAMETER node needs information. The DIAMETERanswer message sent back from the DIAMETER node that receives therequest will include information identifying the receiving DIAMETER nodeand its realm or domain.

There are disadvantages associated with providing a requesting node withDIAMETER node identification and location information. This type ofinformation is generically referred to herein as DIAMETER nodeinformation. Providing DIAMETER node information to untrusted partiescould pose a security risk. By providing an outside node with a DIAMETERnode's address, the providing DIAMETER node becomes more susceptible toattacks. Also, it might be desirable for a service provider to withholdinformation about its network topology, such as the number of homesubscriber servers (HSSs) in the network, from its competitors, as anexample.

Accordingly, in light of these disadvantages associated with theinclusion of identifying information in DIAMETER messages, there existsa need for methods, systems, and computer readable media for obscuringDIAMETER node information in a communications network.

SUMMARY

According to one aspect, the subject matter described herein includes asystem for obscuring DIAMETER node information in a communicationnetwork. The system includes a DIAMETER agent platform. The DIAMETERagent platform includes a network interface for receiving a message froma first DIAMETER node. The DIAMETER agent platform further includes aDIAMETER information hiding module for modifying, in the first message,DIAMETER information for the first DIAMETER node so as to obscure theidentity of the first diameter node. The diameter agent includes arouting module for routing the modified message to a second DIAMETERnode.

According to another aspect, the subject matter described hereinincludes a method for obscuring DIAMETER node information in acommunication network. The method includes receiving, at a DIAMETERagent platform, a message from a first DIAMETER node. The method furtherincludes modifying DIAMETER information in the message received from thefirst DIAMETER node so as to obscure the identity of the first DIAMETERnode. The method further includes routing the modified message to asecond DIAMETER node.

The subject matter described herein for obscuring DIAMETER nodeinformation in a communication network may be implemented in hardware, acombination of hardware and software, firmware, or any combination ofhardware, software, and firmware. As such, the terms “function” or“module” as used herein refer to hardware, a combination of hardware andsoftware, firmware, or any combination of hardware, software, andfirmware for implementing the features described herein. In oneexemplary implementation, the subject matter described herein may beimplemented using a computer readable medium having stored thereoncomputer executable instructions that when executed by the processor ofa computer control the computer to perform steps. Exemplary computerreadable media suitable for implementing the subject matter describedherein include non-transitory devices, such as disk memory devices, chipmemory devices, programmable logic devices, and application specificintegrated circuits. In addition, a computer readable medium thatimplements the subject matter described herein may be located on asingle device or computing platform or may be distributed acrossmultiple devices or computing platforms.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the subject matter described herein will now beexplained with reference to the accompanying drawings, wherein likereference numerals represent like parts, of which:

FIG. 1 is a block diagram illustrating an exemplary LTE networkincluding the present invention according to an embodiment of thesubject matter described herein;

FIG. 2 is a signaling message flow diagram illustrating exemplarymessages communicated between an MME and an HSS through a DIAMETER agentaccording to an embodiment of the subject matter described herein;

FIG. 3 is a signaling message flow diagram illustrating exemplarymessages communicated between an MME and an HSS through a DIAMETER agentaccording to an embodiment of the subject matter described herein;

FIG. 4 is a signaling message flow diagram illustrating exemplarymessages communicated between an HSS and an MME through a DIAMETER agentaccording to an embodiment of the subject matter described herein;

FIG. 5 is a signaling message flow diagram illustrating exemplarymessages communicated between an MME and an HSS through two DIAMETERagents according to an embodiment of the subject matter describedherein;

FIG. 6 is a block diagram illustrating an exemplary DIAMETER agentaccording to an embodiment of the subject matter described herein;

FIG. 7 is a flow chart illustrating an exemplary process for obscuringthe identity of a DIAMETER node in a communication network according toan embodiment of the subject matter described herein;

FIG. 8A is a table containing exemplary stateful topology hiding dataaccording to an embodiment of the subject matter described herein; and

FIG. 8B is a table containing exemplary stateless topology hiding dataaccording to an embodiment of the subject matter described herein.

DETAILED DESCRIPTION

In accordance with the subject matter disclosed herein, methods,systems, and computer readable media are provided for obscuring DIAMETERnode information in a communication network. Reference will now be madein detail to exemplary embodiments of the subject matter describedherein, examples of which are illustrated in the accompanying drawings.Wherever possible, the same reference numbers will be used throughoutthe drawings to refer to the same or like parts.

FIG. 1 is a block diagram illustrating an exemplary LTE networkincluding a DIAMETER agent according to an embodiment of the subjectmatter described herein. In FIG. 1, end user devices 100 (e.g., mobilehandsets) are connected to eNodeB 102A, which performs radio accessfunctions similar to a base transceiver station (BTS). A mobilitymanagement entity (MME) 104 performs authentication and tracking of enduser devices 100. MME 104 is connected to DIAMETER agent 106, whichincludes a DIAMETER information hiding module (DHM) 108 for implementinga diameter information hiding function. As will be described in moredetail below, DIAMETER information hiding module 108 strips DIAMETERidentification information from received messages so that the secrecy ofDIAMETER topology and node identification information is preserved.DIAMETER agent 106 is further connected to network nodes, such as homesubscriber server (HSS) 110 and policy and charging rules function(PCRF) 112. HSS 110 stores mobile subscription data. PCRF 112 providespolicy and charging control functions. DIAMETER agent 106 mayadditionally be connected to other network nodes, such as online andoffline charging systems, to provide additional functions and servicesto network subscribers.

FIG. 2 is a signaling message flow diagram illustrating exemplarymessages communicated between an MME and an HSS through a DIAMETER agentaccording to an embodiment of the subject matter described herein. Inthe illustrated example, MME 104 on Sprint's network needs informationfrom HSS 110 on Verizon's network, for a Verizon customer who is roamingon Sprint's network. Sprint's MME 104 does not know the specific hostinformation for Verizon's HSS 110, just that the subscriber who isroaming is a Verizon customer. In step (1), MME 104 sends a DIAMETERUpdateLocation Request (ULR) message directed to Verizon's domain orrealm, i.e. “Destination-Realm=VZW.NET”. The ULR message includesDIAMETER identifying information, i.e. “Origin-Host=MME1” and“Origin-Realm=SPRINT.NET”. The ULR message may also include thesubscriber's International Mobile Subscriber Identity (IMSI) and anapplication ID.

The ULR message is received by Verizon's DIAMETER agent 106, whichincludes DIAMETER information hiding module 108. DIAMETER agent 106evaluates the message, determines which Verizon HSS 110 serves thissubscriber, and, in step (2), routes the message to the appropriateVerizon HSS 110. In addition, DIAMETER agent 106 may change the routinginformation to include information identifying the specific target host,i.e. “Destination-Host=HSS1”. Furthermore, DIAMETER agent 106 maymaintain state information about the message, as will be described ingreater detail below, regarding FIG. 8A. Next, HSS 110 retrieves therequested subscriber information and in step (3) sends a DIAMETERUpdateLocation Answer (ULA) message, directed to MME 104, back toDIAMETER agent 106, following a hop-by-hop transport protocol. The ULAmessage includes DIAMETER identifying information identifying HSS 110 asthe source host, i.e. “Origin-Host=HSS1” and “Origin-Realm=VZW.NET”.

At this juncture, DIAMETER agent 106, in order to withhold specific hostinformation from Sprint's MME 104, uses DHM 108 to obscure the identityof the source host by modifying the origin host identifying informationto indicate the message originated from a virtual host, i.e.“Origin-Host=HSS-Public”. Alternatively, DIAMETER agent 106 may replacethe actual source host identifying information with informationidentifying itself as the origin source, i.e. “Origin-Host=DSR” (where“DSR” is an identity that DIAMETER agent 106 recognizes as its own).Additionally, DIAMETER agent 106 may maintain information regarding thevirtual host identity used for this message from HSS 110, as isdiscussed in greater detail below, regarding FIG. 8B. At step (4),DIAMETER agent 106 sends the modified ULA message to MME 104.

DIAMETER agent 106 may use a single virtual identity for all the networkelements it is protecting, e.g. “HSS-Public” as the virtual hostidentity for all HSSs in the network, or assign a virtual host identityto smaller groups of network nodes. Alternatively, DIAMETER agent 106may use a different virtual host for each host node in its network, forexample, if the goal was simply to mask the identities of network nodesbut not to hide the number of network elements currently deployed. Inanother alternative embodiment, DIAMETER agent 106 may associatemultiple virtual host names with a single host node, to further obscurethe network's topology by making it appear as though there are morenetwork nodes than the network actually has. DIAMETER agent 106 may alsochange the virtual host name for any or all network nodes periodically,such as once per day, for example, or at non-regular intervals, forexample, in response to some event.

Additional messages involving this subscriber may be identified by thesubscriber's IMSI and may be directed to this virtual host address,i.e., “Destination-Host=HSS-Public”. Any such messages would be receivedby DIAMETER agent 106, which is then responsible for resolving theactual host's identity and may use DHM 108 to modify the messageaccordingly, i.e. to update DIAMETER identification information toidentify “Destination-Host=HSS1”. DIAMETER agent 106 then routes themessage to HSS 110. DIAMETER agent 106 is responsible for maintainingsufficient mapping information to correctly associate an obscureddestination host identity, e.g. “HSS-Public”, and the actual hostidentity, e.g. “HSS1”, such that any subsequent messages involving thesubscriber are properly routed to the same host each time. Additionalanswer messages sent from HSS 110 in response will also be routedthrough DIAMETER agent 106, where again any DIAMETER identifyinginformation would be modified to hide the identity of the node fromwhich the answer originates.

FIG. 3 is a signaling message flow diagram illustrating exemplarymessages communicated between an MME and an HSS through a DIAMETER agentaccording to an embodiment of the subject matter described herein. Inthe illustrated example, Sprint's objective is to mask the identity of aDIAMETER host serving a subscriber, or to conceal the number of networkelements currently deployed, in order to obscure its network topology,much like Verizon, as discussed above. In this example, Sprint wants tohide the identities of its MMEs and keep Verizon from knowing how manyMMEs Sprint has deployed. As described above, MME 104A on Sprint'snetwork needs information from HSS 110 on Verizon's network, for aVerizon customer who is roaming on Sprint's network. Sprint's MME 104Adoes not know the specific host information for Verizon's HSS 110, justthat the subscriber who is roaming is a Verizon customer. Therefore, instep (1), MME 104A sends a DIAMETER UpdateLocation Request (ULR) messagedirected to Verizon's domain or realm, i.e. “Destination-Realm=VZW.NET”.The ULR message includes DIAMETER identifying information, i.e.“Origin-Host=MME1” and “Origin-Realm=SPRINT.NET”. The ULR message mayalso include the subscriber's International Mobile Subscriber Identity(IMSI) and an application ID.

Prior to reaching Verizon's network, the ULR message is intercepted bySprint's DIAMETER agent 106, which includes DIAMETER information hidingmodule 108. DIAMETER agent 106 is tasked with obscuring Sprint's networktopology, and thus uses DHM 108 to obscure the identity of the sourcehost by modifying the origin host identifying information to indicatethe message originated from a virtual host, i.e.“Origin-Host=MME-Public”. Notably, in the illustrated example, a ULRmessage originating from MME 104B (not shown) would likewise be modifiedto indicate the message originated from a virtual host, i.e.“Origin-Host=MME-Public”. By identifying a single virtual host as theorigin host of all messages from any of Sprint's MMEs in this manner,DIAMETER agent 106 effectively conceals the topology of Sprint'snetwork, making it appear to outside network nodes as though Sprint onlyhas a single deployed MME.

In this example, DIAMETER agent 106 maintains state informationregarding the virtual host identity used for this message. DIAMETERagent 106 may store this information in a database or table such asmapping table 300. Mapping table 300 identifies the actual MME servingthe subscriber, i.e. associates MME 104A with “IMSI1”. Stateful andstateless implementations of the subject matter disclosed herein arediscussed in greater detail below, regarding FIG. 8B. At step (2),DIAMETER agent 106 sends the modified ULR message to Verizon's realm,where it is then routed to HSS 110. Additionally, HSS 110 would thenretrieve the requested information regarding the subscriber whose IMSIwas identified in the ULR message, formulate a ULA message including theretrieved information, and send the ULA back to MME 104A via hop-by-hoptransport protocol (not shown).

FIG. 4 is a signaling message flow diagram illustrating exemplarymessages communicated between an HSS and an MME through a DIAMETER agentaccording to an embodiment of the subject matter described herein. Theexample illustrated in FIG. 4 may be considered an extension of theexample illustrated in FIG. 3, where the messages of FIG. 4 subsequentlyfollow the messages illustrated in FIG. 3 and some later time within thesame session or series of messages involving the subscriber identifiedby IMSI1. However, it is notable that the messages of FIG. 4 are notresponses to the messages in FIG. 3, but rather a distinct, independentset of DIAMETER Requests and Answers.

Continuing with the example set forth in FIG. 3 above, after an initialconnection has been established (via the described ULR and ULAmessages), a plethora of DIAMETER messages may be communicated back andforth between MME 104A, masked as “MME-Public”, and HSS 110, and may beoriginated by either MME 104A or HSS 110, depending on the DIAMETERmessage type. FIG. 4 illustrates exemplary request messages originatedby HSS 110, such as a DIAMETER CancelLocation Request (CLR). Notably,HSS 110 is only aware of the identity of Sprint's virtual host,“MME-Public”. Thus, in step (1), HSS 110 creates a CLR message includingDIAMETER identifying information for the message source, i.e.“Origin-Host=HSS1” and “Origin-Realm=VZW.NET”, as well as the messagedestination, i.e. “Destination-Host=MME-Public” and“Destination-Realm=SPRINT.NET”, and the subscriber, i.e.“User-Name=IMSI1”. HSS 110 then routes this CLR message to Sprint'snetwork, where it is intercepted and processed by DIAMETER agent 106.DIAMETER agent 106 evaluates the message and may access stored mappingor state information to determine which MME is serving the identifiedsubscriber. Once MME 104A is identified as the actual destination host,in step (2) DIAMETER agent 106 modifies the intercepted CLR message toinclude “Destination-Host=MME1” and routes the CLR message to MME 104A.In step (3), MME 104A generates a corresponding DIAMETER CancelLocationAnswer (CLA) including DIAMETER identifying information, i.e.“Origin-Host=MME1” which it sends back to HSS 110, following ahop-by-hop transport protocol. In step (4), DIAMETER agent 106intercepts the CLA message which includes the identity of MME1 andmodifies the CLA message to identify “Origin-Host=MME-Public”, like allprevious messages in this session or in this series of DIAMETER messagesassociated with this subscriber and sent between MME 104A and HSS 110.

FIG. 5 is a signaling message flow diagram illustrating exemplarymessages communicated between an MME and an HSS through multipleDIAMETER agents according to an embodiment of the subject matterdescribed herein. In this embodiment, both Verizon and Sprint intend tohide their respective network topologies from the other party. Asdescribed above, MME 104 in Sprint's network needs information from HSS110 in Verizon's network for a Verizon customer who is roaming inSprint's network. Sprint's MME 104 does not know the specific hostinformation for Verizon's HSS 110, just that the person roaming is aVerizon customer. In step (1), MME 104 sends a ULR message directed toVerizon's domain or realm, i.e., “Destination-Realm=VZW.NET”. The ULRmessage includes DIAMETER identifying information, i.e.,“Origin-Host=MME1” and “Origin-Realm=SPRINT.NET”. The ULR message mayalso include the subscriber's IMSI.

DIAMETER agent 106A, including DIAMETER information hiding module 108and belonging to Sprint, intercepts this ULR message. In order towithhold specific information about the Sprint network topology,DIAMETER agent 106A modifies the message, using DHM 108, to hide theidentity of the Sprint node requesting information, and may replace thatidentification information with virtual host information, i.e.“Origin-Host=MME-Public”. Then, in step (2), DIAMETER agent 106A routesthe ULR message to Verizon's domain. DIAMETER agent 106A may also storestate information about the message prior to sending the message toVerizon, such as information identifying MME 104 as the MME currentlyserving the subscriber associated with “IMSI1”.

The ULR message is received by Verizon's DIAMETER agent 106B, includingtopology hiding module 108. DIAMETER agent 106B evaluates the messageand, at step (3), routes the message to the appropriate Verizon HSS 110.DIAMETER agent 106B may also maintain state information about themessage. HSS 110 retrieves the desired information and at step (4)generates and sends a ULA message, directed to MME 104, back to DIAMETERagent 106B, following hop-by-hop transport protocol. This ULA messageincludes DIAMETER identifying information, i.e. “Origin-Host=HSS1” and“Origin-Realm=VZW.NET”.

DIAMETER agent 106B using DHM 108, in order to withhold specific hostinformation from Sprint, replaces this information with virtual hostinformation, i.e. “Origin-Host=HSS-Public”. DIAMETER agent 106B maymaintain information identifying “HSS-Public” as the virtual host nameassociated with HSS 110. In step (5), DIAMETER agent 106B sends themodified ULA message to DIAMETER agent 106A, following hop-by-hoptransport protocol.

DIAMETER agent 106A receives the ULA message and may use stored stateinformation to determine which node on its network this ULA is actuallyaddressed to, i.e., MME 104. For example, DIAMETER agent 106B may storea transaction identifier from the outgoing ULR message and may use thattransaction identifier to locate the corresponding response message. Inan alternate implementation, DIAMETER agent 106B and in particular,DIAMETER information hiding module 108, may be stateless with regard tothe transaction involving the received message from which topologyinformation is extracted or hidden. In a stateless implementation, theDIAMETER information hiding module 108 may maintain a mapping betweenthe virtual identifier placed in the ULA message and the DIAMETERtopology information that was removed or obscured. This mapping may alsoinclude the subscriber's IMSI. When a subsequent message relating to asame transaction is received and is addressed to the virtual identifier,topology hiding module may use the stored mapping information whenreplacing the virtual identifier with the real DIAMETER identifier forthe destination. In step (6), DIAMETER agent 106B sends the ULA to MME104.

FIG. 6 is a block diagram illustrating an exemplary DIAMETER agentaccording to an embodiment of the subject matter described herein. ADIAMETER agent, such as DIAMETER agent 106, includes one or more networkinterfaces, such as network interfaces 600 and 604, a routing module602, and a DIAMETER information hiding module 108 for implementing atopology hiding function. It will be understood that DIAMETER agent 106may comprise additional components and is not limited to only thecomponents shown in FIG. 6.

In one embodiment, DIAMETER agent 106 receives a message, such as aDIAMETER Update Location Request (ULR) message, at a network interfacesuch as network interface 600. The message is passed to the topologyhiding module 108, which then determines if the message needs to bemodified before being routed to its destination. In this example, theURL message is not modified, and it is then passed to routing module602. Routing module 602 determines the appropriate destination of themessage and routes it through a network interface such as networkinterface 604.

DIAMETER agent 106 also receives a response message, such as a DIAMETERUpdate Location Answer (ULA) message, at a network interface 604. TheULA is passed to DIAMETER information hiding module 108, which thendetermines the message needs to be modified to obscure the identity ofthe origin host. DHM 108 modifies the message accordingly and passes themodified ULA message to routing module 602. Routing module 602 thenroutes the message to its destination via network interface 600.

Although DIAMETER information hiding module 108 and routing module 602are shown here as distinct components of DIAMETER agent 106, DIAMETERinformation hiding module 108 and routing module may be integratedwithin the same chip or executed by the same processor.

DIAMETER agent 106 may be any suitable node capable of receiving andforwarding DIAMETER signaling messages. In one embodiment, DIAMETERagent 106 may be a DIAMETER signaling router that routes DIAMETERsignaling messages based on DIAMETER information contained within thesignaling messages. DIAMETER agent 106 may be, in addition to or insteadof a DIAMETER signaling router, one or more of: a DIAMETER relay agent,a DIAMETER proxy agent, a DIAMETER redirect agent, or a DIAMETERtranslation agent, as described in IETF RFC 3588, the disclosure ofwhich is incorporated herein by reference in its entirety.

FIG. 7 is a flow chart illustrating an exemplary process for obscuringthe identity of a DIAMETER node in a communication network according toan embodiment of the subject matter described herein. In step 700, aDIAMETER agent having a topology hiding module 108, such as DIAMETERagent 106, receives a message at a network interface, such as networkinterface 604, including information identifying the node on its networkfrom which the message originated. In step 702, DIAMETER agent 106,using DHM 108, modifies the identification information in the message,i.e. changes the “Origin-Host=” field in the message. In step 704,DIAMETER agent 106 routes the message to its intended destination, usingrouting module 602.

FIG. 8A is a table containing exemplary stateful topology hiding dataaccording to an embodiment of the subject matter described herein. Asdescribed above, a DIAMETER agent, such as DIAMETER agent 106, maymaintain state information for messages routed through it or by it, ineither direction. State information may include a session ID, may bemaintained via reference to a subscriber's IMSI, or may be trackedthrough one of the many state-tracking mechanisms well known in the art.DIAMETER agent 106 may use this state information to resolve theappropriate destination node of additional communications involving thesame subscriber, should they occur.

A stateful implementation of the subject matter disclosed herein mayinclude maintaining mapping information, as illustrated by the MMEHiding Data table in FIG. 8A, which maps the association between asubscriber, e.g. “IMSI1”, a session, e.g. “session1”, the DIAMETER hostserving that subscriber, e.g. “MME1”, the DIAMETER realm, e.g.“SPRINT.NET”, and the virtual host identity, e.g. “MME-Public”. ADIAMETER agent 106 configured to obscure the topology of networksincluding elements such as MMEs will generally store state information,i.e. the relationship between a subscriber, an MME and a virtual host,that is generated dynamically. FIG. 8B is a table containing exemplarystateless topology hiding data according to an embodiment of the subjectmatter described herein. As described above, a DIAMETER agent, such asDIAMETER agent 106, may identify a virtual host as the “Origin-Host” formessages coming from its network, so as to hide the true identity of theorigin node or mask network topology information such as the number ofelements deployed in the network. A stateless implementation of thesubject matter disclosed herein may include maintaining mappinginformation, as illustrated by the HSS Hiding Data table in FIG. 8B,which maps the association between a subscriber, e.g. “IMSI1”, theDIAMETER host serving that subscriber, e.g. “HSS1”, the DIAMETER realm,e.g. “VZW.NET”, and the virtual host identity, e.g. “HSS-Public”. ADIAMETER agent 106 configured to obscure the topology of networksincluding elements such as HSSs will generally not storedynamically-created state information, as network elements such as HSSsare statically mapped, i.e. the same HSS will essentially always be thehost that serves a particular subscriber. Therefore, given therelationship between a subscriber, an HSS and a virtual host essentiallydoes not change, DIAMETER agent 106 may not need to track and storetransaction information such as a session ID to accurately map asubscriber ID to an HSS and virtual host identity.

It will be understood that various details of the subject matterdescribed herein may be changed without departing from the scope of thesubject matter described herein. Furthermore, the foregoing descriptionis for the purpose of illustration only, and not for the purpose oflimitation.

1. A system for obscuring DIAMETER node information in a communicationnetwork, the system comprising: a DIAMETER agent platform, comprising: anetwork interface for receiving a message from a first DIAMETER node; aDIAMETER information hiding module for modifying, in the first message,DIAMETER information for the first DIAMETER node so as to obscure theidentity of the first diameter node; and a routing module for routingthe modified message to a second DIAMETER node.
 2. The system of claim 1wherein the DIAMETER agent platform is configured to replace, in themessage, the DIAMETER information identifying the first DIAMETER nodewith virtual DIAMETER identification information.
 3. The system of claim1 wherein the first DIAMETER node is one of a home subscriber server(HSS) and a mobility management entity (MME).
 4. The system of claim 1wherein the second DIAMETER node is one of a mobility management entity(MME), a home subscriber server (HSS), a policy charging and rulesfunction (PCRF), an online charging system (OCS), and an offlinecharging system (OFCS).
 5. The system of claim 1 wherein the firstDIAMETER message includes one of an UpdateLocation Request (ULR)message, an UpdateLocation Answer (ULA) message, a CancelLocationRequest (CLR) message, a CancelLocation Answer (CLA) message,Credit-Control-Request (CCR) message, Credit-Control-Answer (CCA)message, Accounting-Request (ACR) message, Accounting-Answer (ACA)message, Re-Auth-Request (RAR) message, and a Re-Auth-Answer (RAA)message.
 6. The system of claim 1 wherein the DIAMETER agent platformmaintains state information associated with a transaction involving thereceived message.
 7. The system of claim 1 wherein the DIAMETER agentplatform is stateless with regard to a transaction involving thereceived message.
 8. The system of claim 1 wherein the DIAMETER agentplatform is configured to receive DIAMETER messages addressed to avirtual DIAMETER node and is configured to change a destination addressin the messages to an address of the first DIAMETER node.
 9. The systemof claim 1 wherein the DIAMETER agent platform comprises one or more of:a DIAMETER signaling router, a DIAMETER relay agent, a DIAMETER proxyagent, a DIAMETER redirect agent, and a DIAMETER translation agent. 10.A method for obscuring DIAMETER node information in a communicationnetwork, the method comprising: receiving, at a DIAMETER agent platform,a message from a first DIAMETER node; modifying DIAMETER identifyinginformation in the message received from the first DIAMETER node so asto obscure the identity of the first DIAMETER node; and routing themodified message to a second DIAMETER node.
 11. The method of claim 10wherein the DIAMETER agent platform is configured to replace, in themessage, the DIAMETER information identifying the first DIAMETER nodewith virtual DIAMETER identification information.
 12. The method ofclaim 10 wherein the first DIAMETER node is one of a home subscriberserver (HSS) and a mobility management entity (MME).
 13. The method ofclaim 10 wherein the second DIAMETER node is one of a mobilitymanagement entity (MME), a home subscriber server (HSS), a policycharging and rules function (PCRF), an online charging system (OCS), andan offline charging system (OFCS).
 14. The method of claim 10 whereinthe first DIAMETER message includes one of an UpdateLocation Request(ULR) message, an UpdateLocation Answer (ULA) message, a CancelLocationRequest (CLR) message, a CancelLocation Answer (CLA) message,Credit-Control-Request (CCR) message, Credit-Control-Answer (CCA)message, Accounting-Request (ACR) message, Accounting-Answer (ACA)message, Re-Auth-Request (RAR) message, and a Re-Auth-Answer (RAA)message.
 15. The method of claim 10 wherein the DIAMETER agent platformmaintains state information associated with a transaction involving thereceived message and uses the state information to deliver the firstmessage to the second DIAMETER node.
 16. The method of claim 10 whereinthe DIAMETER agent platform is stateless with regard to a transactioninvolving the received message.
 17. The method of claim 10 wherein theDIAMETER agent platform is configured to receive DIAMETER messagesaddressed to a virtual DIAMETER node and is configured to change adestination address in the messages to an address of the first DIAMETERnode.
 18. The method of claim 10 wherein the DIAMETER agent platformcomprises one or more of: a DIAMETER signaling router, a DIAMETER relayagent, a DIAMETER proxy agent, a DIAMETER redirect agent, and a DIAMETERtranslation agent.
 19. A non-transitory computer readable medium havingstored thereon executable instructions that when executed by theprocessor of a computer control the computer to perform stepscomprising: receiving, at a DIAMETER agent platform, a message from afirst DIAMETER node; modifying, in the first message, DIAMETERinformation for the first DIAMETER node so as to obscure the identity ofthe first DIAMETER node; and routing the modified message to a secondDIAMETER node.